Cyber Defense Magazine - The Premier Source For IT Security Information
http://www.cyberdefensemagazine.com
Feed updated Tue, 03 Mar 2015 19:00:59 +0000

Shadow Cloud Services a serious risk for Government Networks
http://www.cyberdefensemagazine.com/shadow-cloud-services-a-serious-risk-for-government-networks/
Tue, 03 Mar 2015 14:27:20 +0000

Cloud Security Alliance revealed that shadow cloud services used by employees and unmanaged by IT can pose a major security problem for organizations.

Last month, the Cloud Security Alliance found that shadow cloud services used by employees and unmanaged by IT can pose a major security problem for organizations.

Based on the survey, roughly half of respondents stated that their main fear relates to breaches of corporate data in the cloud. The threat posed by shadow cloud services is critical; it has serious repercussions on data security, business continuity and regulatory compliance. Security analysts have warned that the growing use of a collection of web services, including cloud-hosted collaboration, file sharing, storage and social media services, can expose company data to leaks and breaches. The adoption of shadow cloud services is among the causes that can result in data exfiltration, malware infections and compliance problems.

Skyhigh Networks recently conducted a survey that involved 200,000 employees working for public sector organizations based in the U.S. and Canada. The study found that some 721 cloud services are running inside government organizations, but IT departments are aware of only eight percent of them.

Shadow cloud services represent a serious risk to both government organizations and private companies.

“The past few years have marked a paradigm shift in IT’s role, from provider to enabler. This survey, the largest of its kind, illustrates that companies are aware of the consumerization of IT but have room to more proactively address the security concerns of cloud adoption,” said Rajiv Gupta, CEO of Skyhigh.

Microsoft’s Office 365, Yammer and Hotmail were among the most popular collaboration services used by the employees working in the public sector.

The most commonly accessed file-sharing services included Dropbox, Box, Hightail and Google Drive; employees use these cloud services to store sensitive data, a behavior that enlarges the attack surface of government organizations.

The experts explain that social media platforms and cloud-hosted collaboration platforms could also expose government entities to cyber attacks if not properly managed.

According to Skyhigh, the most popular social media services included Facebook, Twitter, LiveJournal and LinkedIn, while development services like GitHub and SourceForge are used by almost all employees.

In some cases the use of these services was approved by IT, but in many other cases it was not, with a significant impact on the security posture of the organizations.

“Government organizations tend to think of themselves as somehow different,” from private companies on the security front, said Rajiv Gupta. “What we found is there is as much risk of shadow IT in government as any other organization. People are people. They want to do things more efficiently.” In many cases, cloud services help them do that, with or without the IT organization’s help, he says.

It is interesting to note that government IT has no idea of the shadow cloud services used by employees; this is confirmed by the data on the gap between the perceived use of such services within public sector organizations and their actual use.

“For instance, when IT managers were asked to estimate DropBox use within their organizations, the average number tended to be around 16 percent. Actual use was much higher at 80 percent. Similarly, the gap between perceived and actual use of Apple’s iCloud was a remarkable 42 percent,” reports Dark Reading in a blog post.

The data presented demonstrates that government IT has to improve the management of internal services with a specific focus on shadow cloud services.

Twitter is tracking phone numbers to prevent trolls and abuses
http://www.cyberdefensemagazine.com/twitter-is-tracking-phone-numbers-to-prevent-trolls-and-abuses/
Mon, 02 Mar 2015 14:42:03 +0000

Twitter announced that it is starting to track the phone numbers of users as a measure to prevent abuses such as the creation of new bogus accounts.

A few weeks ago, Twitter CEO Dick Costolo explained the difficulties the company faces in preventing the abuse of its platform. Costolo admitted to being embarrassed by the company’s failures and said it would work to eliminate trolls and abuse.

“We suck at dealing with abuse and trolls on the platform and we’ve sucked at it for years,” Costolo wrote in a memo obtained by The Verge. “It’s no secret and the rest of the world talks about it every day. We lose core user after core user by not addressing simple trolling issues that they face every day.”

Following the declaration of its CEO, Twitter announced that it is introducing new tools to eliminate harassment and any other behavior that violates company policies.

“now we’re making similar improvements around reporting other content issues including impersonation, self-harm and the sharing of private and confidential information. These changes will begin rolling out today and should reach all users in the coming weeks.” states Twitter in a blog post.

Among the changes announced by Twitter, all users that receive temporary bans will need to verify their email address or a phone number in order to reactivate their accounts.

Twitter is starting to track users’ phone numbers as a measure to prevent abuses like the creation of new bogus accounts. Twitter could discourage fraudsters and harassers from creating fake accounts by checking the phone numbers submitted by users against a blacklist of abusers that have already been banned.

Twitter will ban its worst users as explained by Tina Bhatnagar, vice president of user services:

“Overall, we now review five times as many user reports as we did previously, and we have tripled the size of the support team focused on handling abuse reports.”

It is also the first time that Twitter allows users to report abuse against other accounts. According to Twitter, its new tools will allow users to report impersonation, self-harm, and the inappropriate posting of confidential and private data.

The goal of the company is to improve abuse reporting by making it easier for users to identify trolls.

Are the measures announced by Twitter enough to eliminate malicious accounts and any other kind of abuse?

Probably not, but it is a good start. The measure of asking users for their mobile number could be ineffective if a user who is asked to provide a phone number simply abandons the account and continues the illegal activity from a new one. Twitter, in fact, will not require new users to provide phone numbers to verify their identity.

Doubts about how CSE monitors Canadian emails to the Government
http://www.cyberdefensemagazine.com/doubts-about-how-cse-monitors-canadian-emails-to-the-government/
Fri, 27 Feb 2015 15:47:52 +0000

New secret documents leaked by Snowden reveal that CSE monitors millions of Canadian emails to the Government, but privacy advocates criticized how CSE does it.

The national broadcaster Canadian Broadcasting Corporation (CBC), citing a 2010 NSA document, revealed that Canadian intelligence monitors visits to government websites and scans about 400,000 emails per day for suspicious content, links or attachments in order to protect homeland security. The surveillance activity run by the CSE allows the intelligence agency to alert the Government in case of cyber attacks and to take countermeasures to protect computer networks from threat actors.

“The emails are vacuumed up by the Canadian agency as part of its mandate to defend against hacking attacks and malware targeting government computers. It relies on a system codenamed PONY EXPRESS to analyze the messages in a bid to detect potential cyber threats.” states a report published by the Intercept.

The agency is doing much more: its electronic eavesdropping activity includes Canadians’ electronic tax returns, emails to members of Parliament and passport applications. The documents reveal that the CSE also holds on to metadata, which identifies who sent an email, as well as when and where.

One of the top-secret documents, dated 2010, suggests the CSE may be covertly mining data directly from Canadian Internet cables.

The document refers to “processing emails off the wire”.

Under Canada’s criminal code, the CSE is not allowed to eavesdrop on the communications of Canadians.

“But the agency can be granted special ministerial exemptions if its efforts are linked to protecting government infrastructure — a loophole that the Snowden documents show is being used to monitor the emails,” states the Intercept.

Privacy advocates are criticizing the CSE for retaining sensitive data for months or, in some cases, years.

“While government cybersecurity is important, there is clearly no cybersecurity need to retain people’s private information for months or even years,” said David Christopher of the non-profit OpenMedia, which advocates for an open Internet.

The CSE confirmed that the agency doesn’t retain emails unless they contain a cyber threat or information of interest.

“Under its cyber security mandate, CSE collects data and metadata that is relevant and necessary to understand the nature and methods of malicious cyber threats,” the spokesman said. “Data and metadata are deleted according to established data retention schedules that are documented in internal policies and procedures. To provide more detail could assist those who want to conduct malicious cyber activity against government networks.” a CSE spokesman told The Intercept and CBC News.

The Europol and security giants dismantled the Ramnit botnet
http://www.cyberdefensemagazine.com/the-europol-and-security-giants-dismantled-the-ramnit-botnet/
Thu, 26 Feb 2015 15:17:14 +0000

The Ramnit botnet has been shut down in a joint effort by Europol and the security firms Symantec, Microsoft, and Anubis Networks.

Another success for Europol and its allies Microsoft, Symantec, and Anubis Networks: in a joint effort, the organizations have shut down the command and control servers of the Ramnit botnet. The Joint Cybercrime Action Taskforce (J-CAT) and CERT-EU also provided significant support to the operation.

“On 24 February, Europol’s European Cybercrime Centre (EC3) coordinated a joint international operation from its operational centre in The Hague, which targeted the Ramnit botnet that had infected 3.2 million computers all around the world.” states the official announcement issued by the Europol.

According to cyber security experts, Ramnit is one of the world’s biggest botnets, having infected up to 3.2 million machines worldwide.

The group behind the Ramnit botnet seems to have been active since 2010, and the botnet quickly evolved over time thanks to continuous improvement. A botnet can be used for several fraudulent activities; Ramnit was mainly used by crooks for financial fraud.

Law enforcement agencies from several European countries, including Germany, Italy, the Netherlands, and the UK, have seized the control infrastructure of the Ramnit botnet.

“Representatives from the various countries, Microsoft, Symantec and AnubisNetworks worked together with Europol officials to shut down command and control servers and to redirect 300 Internet domain addresses used by the botnet’s operators.” reported the Europol.

Europol Deputy Director of Operations Wil van Gemert expressed his satisfaction with the operation, highlighting the importance of collaboration between several entities to fight the criminal ring operating the Ramnit botnet.

“This successful operation shows the importance of international law enforcement working together with private industry in the fight against the global threat of cybercrime,” said Wil van Gemert.

“We will continue our efforts in taking down botnets and disrupting the core infrastructures used by criminals to conduct a variety of cybercrimes.”

Symantec published a blog post describing the evolution of the Ramnit agent since 2010; the experts revealed that the malicious code and its controllers evolved rapidly over time.

The latest variant of Ramnit (W32.Ramnit.B) has abandoned the file infection routine and implemented a range of alternative infection methods.

“Ramnit (W32.Ramnit) began life as a worm, first appearing in 2010 and spreading quickly due to aggressive self-propagation tactics. Once it compromised a computer it sought out all EXE, DLL, HTM, and HTML files on the local hard disk and any removable drives and attempted to infect them with copies of itself,” reported Symantec.

Microsoft and Symantec have released a removal tool for Ramnit; users who fear their computer may have been infected can download the software. For further information please visit www.getsafeonline.org or www.cyberstreetwise.com.

Lenovo released an automatic removal tool for Superfish adware
http://www.cyberdefensemagazine.com/lenovo-released-an-automatic-removal-tool-for-superfish-adware/
Tue, 24 Feb 2015 14:55:19 +0000

Last week, the news that the Superfish adware was present in laptops sold by the Chinese vendor Lenovo captured the attention of the media. The presence of the Superfish malware exposes Lenovo users to hacking attacks: as explained by the cyber security expert Robert Graham in a blog post, the malware hijacks and throws open encrypted connections, a circumstance that could be exploited by attackers to eavesdrop on the users’ traffic.

Lenovo intentionally pre-installed malware on its laptops, but once it was discovered the company tried to remedy the problem by releasing a tool to remove the malicious “SuperFish” adware that it had pre-installed on many of its consumer-grade laptops sold before January 2015.

Lenovo admitted that it was caught preloading a piece of adware that installed its own self-signing man-in-the-middle (MitM) proxy service that hijacked HTTPS connections; the company also informed its customers that it had “stopped Superfish software at beginning in January” 2015.

“We ordered Superfish preloads to stop and had server connections shut down in January based on user complaints about the experience. However, we did not know about this potential security vulnerability until yesterday. Now we are focused on fixing it.” states an official statement released by Lenovo. “We recognize that this was our miss, and we will do better in the future. Now we are focused on fixing it.”

Graham reverse engineered the malicious software in a debugger (IDA Pro); this allowed him to extract the certificate from the SuperFish adware and to crack the password (“komodia”) that encrypted it. Using the password, an attacker can potentially inject malware or spy on a vulnerable Lenovo user sharing the same Wi-Fi network.

US-CERT recently issued Alert TA15-051A to warn Lenovo users about the fact that the Superfish adware is vulnerable to HTTPS spoofing.

“Superfish adware installed on some Lenovo PCs install a non-unique trusted root certification authority (CA) certificate, allowing an attacker to spoof HTTPS traffic.” states the alert. “Since the private key can easily be recovered from the Superfish software, an attacker can generate a certificate for any website that will be trusted by a system with the Superfish software installed. This means websites, such as banking and email, can be spoofed without a warning from the browser.”

Lenovo, with the support of Microsoft and McAfee, has developed a removal tool to clean its laptops and delete the Superfish malware.

“We apologize for causing these concerns among our users – we are learning from this experience and will use it to improve what we do and how we do it in the future,” states Lenovo. “In addition to the manual removal instructions currently available online, we have released an automated tool to help users remove the software and certificate. That tool is here: http://support.lenovo.com/us/en/product_security/superfish_uninstall”

Once again, I suggest checking for the presence of the Superfish adware by using the test created by the researcher Filippo Valsorda.

Lenovo is in the storm once again: security experts discovered that the company is shipping laptops with Superfish malware, a malware that allows web traffic to be stolen using man-in-the-middle attacks. SuperFish is considered by many antivirus companies a potentially unwanted program, adware, or a trojan.

The “Superfish” malware was installed on laptops sold until late last month; it was able to steal web traffic using fake, self-signed root certificates to inject advertisements into sessions. Lenovo removed the malicious Superfish software after numerous users reported the embarrassing discovery on its forums, claiming to be victims of attacks.

“A blatant man-in-the-middle attack malware breaking privacy laws. I have requested return of the laptop and refund as I find it unbelievable that … Lenovo would facilitate such applications pre bundled with new laptops,” the user wrote on the Lenovo forums.

“I just bought a Lenovo G50 Notebook. And as you might guess it’s also “infected” with PUP (a SuperFish Software (that’s the one which displays ads on webpages)). So, now I try to clean up a brand new device. Sounds a bit absurd. What do you think?” said another user.

An image posted by one of the Lenovo users shows a certificate masquerading as one issued by Bank of America.

Another victim posted a purported screenshot of the program showing it as a trusted root certificate and claimed that a web connection to their bank was intercepted.

“One screenshot taken by an unhappy user shows a certificate masquerading as being issued by Bank of America. Another user posted a purported screenshot of the program showing it as a trusted root certificate and claiming a web connection to their bank was intercepted.” states The Register.

The Forum administrator Mark Hopkins explained that the new laptops will no longer be sold with Superfish. Lenovo has also asked the company behind the program to provide a software update to address these issues.

“Due to some issues (browser pop up behavior for example), with the Superfish Visual Discovery browser add-on, we have temporarily removed Superfish from our consumer systems until such time as Superfish is able to provide a software build that addresses these issues,” Hopkins said.

“As for units already in market, we have requested that Superfish auto-update a fix that addresses these issues,” Hopkins added. “The technology instantly analyses images on the web and presents identical and similar product offers that may have lower prices, helping users search for images without knowing exactly what an item is called or how to describe it in a typical text-based search engine.”

I don’t want to play with Hopkins’s statements, but it is evident that Lenovo has “temporarily removed Superfish from our consumer systems until such time as Superfish is able to provide a software build that addresses these issues”. What does it mean?

Why not eliminate the malware definitively?

Facebook engineering director Mike Shaver raised the alarm about the ad/bloatware on Twitter, and found that SuperFish certificates posted by different users shared the same RSA key.

“Lenovo installs a MITM cert and proxy called Superfish, on new laptops, so it can inject ads? Someone tell me that’s not the world I’m in,” Shaver tweeted.

Unfortunately, factory pre-installed malware is not a new issue; it has happened in the past, in some cases due to the poisoning of the supply chain, but in this case it seems that Lenovo was aware of the absurd practice.

Ali Baba, the APT group from the Middle East
http://www.cyberdefensemagazine.com/ali-baba-the-apt-group-from-the-middle-east/
Thu, 19 Feb 2015 15:13:42 +0000

Adrian Nish of BAE Systems presented the results of his investigation into the Ali Baba APT group operating from the Middle East that hit Western companies.

Yesterday the Kaspersky Lab team revealed the results of its investigation into the hacking crew dubbed the Equation group, a team of hackers that demonstrated extraordinary capabilities and sophisticated tactics, techniques, and procedures. Unfortunately, the number of APTs is growing over the years, and the majority of them go under the radar for a long period.

In 2013, Adrian Nish of BAE Systems investigated a cyber attack suffered by an engineering company in the UK that operates in the national power industry. The security experts discovered that hackers had compromised the company network for some time, exfiltrating every kind of information.

“The group has probably been working for about two years now,” Nish explained. “It’s an emerging trend in the Middle East. That’s a complicated region and the offensive side of things is becoming complicated there too. There’s offensive cyber companies and local malware authoring now.”

Nish identified the C&C servers used by the threat actors and discovered that Google was indexing some of the machines used by the hackers to siphon data. According to the researcher, the bad actors could be members of a pro-Iranian group and proved to have access to a wide set of hacking tools.

BAE dubbed the APT group Ali Baba because of a code name found in one of the tools in their arsenal.

“They had taken network diagrams, usernames and credentials from an Israeli university and even an entire Web app that they stole from a group in the Middle East,” Nish said in a talk at the Kaspersky Lab Security Analyst Summit here Monday. “They had even stolen some signatures, physical signatures from people who had scanned them for some reason. What could possibly go wrong with that?”

Nish said he discovered nearly 40 distinct hacking tools, including five modules of custom malware, a keylogger, a custom hash cracker and many others. The expert highlighted some interesting methods for defeating incident response on compromised networks and for data exfiltration.

Nish detailed one of the tools in the arsenal of the Ali Baba APT, Fakeddos.exe, which the hackers used to generate large amounts of junk traffic on compromised networks, a tactic the threat actor used to overwrite the logs of legitimate traffic and make investigation by security firms difficult.

The Ali Baba hackers used an unusual exfiltration technique based on email: they disguised the outbound emails as Viagra spam messages to avoid detection by defense systems.

According to a report published by the security company Cylance, the UK firm wasn’t the only known victim of Ali Baba; the APT had also compromised transportation companies in South Korea and Pakistan. Cylance identified the hacking team as OpCleaver.

Carbanak cybergang swipes over $1 Billion from banks
http://www.cyberdefensemagazine.com/carbanak-cybergang-swipes-over-1-billion-from-banks/
Wed, 18 Feb 2015 15:48:02 +0000

The advances of the New York Times on the “Carbanak cybergang”

On Valentine’s Day, the New York Times published the news that a group of cybercriminals used malware to steal at least $300 million from banks and other financial institutions worldwide. The journalists at The New York Times had seen a preview of a report written by researchers from Kaspersky Lab following the investigation of a criminal crew dubbed the “Carbanak cybergang”.

The researchers named the criminal crew “Carbanak cybergang” after the malware used to compromise computers at banks and other financial institutions. According to the experts at Kaspersky, the majority of victims were located in Russia, but many other infections have been detected in other countries, including Japan, Europe and the United States.

“Our investigation began in Ukraine and then moved to Moscow, with most of the victims located in Eastern Europe. However thanks to KSN data and data obtained from the Command and Control servers, we know that Carbanak also targets entities in the USA, Germany and China. Now the group is expanding its operations to new areas. These include Malaysia, Nepal, Kuwait and several regions in Africa, among others. The group is still active, and we urge all financial organizations to carefully scan their networks for the presence of Carbanak. If detected, report the intrusion to law enforcement immediately,” states the report from Kaspersky.

Figure 1 – Map of Infections (Kaspersky Lab)

At the time the news was disclosed by The New York Times, the researchers at Kaspersky Lab had not revealed the names of the banks because of nondisclosure agreements, but according to the experts this malware-based campaign could be one of the biggest bank thefts ever.

The investigators discovered that the “Carbanak cybergang” hit more than 100 financial institutions in 30 countries; according to the newspaper’s preview, the malicious campaign started in 2013 and there are strong indications that it may still be ongoing.

“In late 2013, an A.T.M. in Kiev started dispensing cash at seemingly random times of day. No one had put in a card or touched a button. Cameras showed that the piles of money had been swept up by customers who appeared lucky to be there at the right moment,” reported the New York Times.

Initially, the news published by the New York Times reported that Kaspersky had evidence of thefts amounting to $300 million, although experts speculate that the overall amount may be three times as large.

Later, various news agencies reported that the hackers had stolen as much as $1 billion from the targeted institutions in a string of attacks that borrow heavily from targeted attacks against sensitive government and industrial targets.

“This is likely the most sophisticated attack the world has seen to date in terms of the tactics and methods that cybercriminals have used to remain covert,” Chris Doggett, managing director of Kaspersky Lab North America, explained to the Times.

How did the “Carbanak cybergang” compromise its victims?

The investigation confirmed that the kill chain started with a spear phishing attack that targeted the banks’ internal staff. The Carbanak cybergang used malicious emails to compromise the banks’ computer systems; the messages sent to employees of the financial institutions included a link that, once clicked, triggered the download of malware.

The Carbanak cybergang used the malware to collect information on the targeted organization, the attackers used the malicious code to find the employees who were in charge of cash transfer systems or ATMs and to gather information on the internal systems of the banks.

In a second phase of the attack, the hackers installed a remote access tool (RAT) on the machines of those employees. Once they had infected the computers of the personnel in charge of cash transfer systems or ATMs, the attackers collected snapshots of the victims’ screens and studied their daily activity in the bank.

In the last phase of the attack, the hackers were able to remotely control the ATMs to dispense money or transfer money to fake accounts.

“The bank’s internal computers, used by employees who process daily transfers and conduct bookkeeping, had been penetrated by malware that allowed cybercriminals to record their every move. The malicious software lurked for months, sending back video feeds and images that told a criminal group — including Russians, Chinese and Europeans — how the bank conducted its daily routines, according to the investigators.

Then the group impersonated bank officers, not only turning on various cash machines, but also transferring millions of dollars from banks in Russia, Japan, Switzerland, the United States and the Netherlands into dummy accounts set up in other countries.” reported the New York Times.

Chris Doggett, managing director of the Kaspersky North America office in Boston, explained that the “Carbanak cybergang” represents a significant increase in the sophistication of cyber attacks against financial organizations.

The US authorities and Interpol with the support of the Kaspersky Lab are already coordinating their efforts in a joint investigation.

“These attacks again underline the fact that criminals will exploit any vulnerability in any system,” said Sanjay Virmani, director of Interpol Digital Crime Center. “It also highlights the fact that no sector can consider itself immune to attack and must constantly address their security procedures.”

The Report issued by the Kaspersky Lab

The experts revealed that the discovery of the Carbanak cybergang was fortuitous: the researchers were investigating an alleged Tyupkin infection of computer systems at a Ukrainian bank. The investigation of the targeted ATMs did not reveal the presence of the Tyupkin malware; the experts only discovered a VPN configuration (the netmask was set to 172.0.0.0) on the targeted machines.

A few months later Kaspersky was involved in another investigation, a malware attack on a Russian bank. The experts discovered that the attackers sent malicious emails to employees of the bank with a CPL attachment, although in other cases the bad actors attached Word documents exploiting known vulnerabilities.

“The email attachments exploit vulnerabilities in Microsoft Office 2003, 2007 and 2010 (CVE-2012-0158 and CVE-2013-3906) and Microsoft Word (CVE-2014-1761). Once the vulnerability is successfully exploited, the shellcode decrypts and executes the backdoor known as Carbanak,” reports Kaspersky.

The analysts also speculate that the attackers used a classic drive-by-download attack as an additional infection vector, because they found evidence of the Null and RedKit exploit kits.

Once the shellcode runs, it installs a backdoor based on the Carberp banking malware. The variant, dubbed Carbanak, was specifically designed for data exfiltration from the targeted systems and for remote control.

To evade detection, the threat actors also digitally signed some Carbanak samples.

Once a machine is compromised, the attackers collect information about the relevant computers on the network in order to understand how the particular financial institution operates.

Figure 3 -Carbanak kill chain (Kaspersky Lab)

To learn the banks' internal processes, the attackers recorded the victims' activity and captured screenshots while employees performed significant operations.

The experts identified the following cash-out procedures used by the Carbanak cybergang to steal money from the banks:

Inflating account balances – databases with account information were altered so that fake accounts could be created with a relatively high balance, with mule services being used to collect the money.

Controlling ATMs – ATMs were instructed remotely to dispense cash.
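The first cash-out procedure works because the core banking database, not the transaction ledger, was edited: a balance appears with no posted entries behind it. A reconciliation query that compares each cached balance with the sum of its ledger entries surfaces exactly that. The following is an added example written for this article, not a control from the report; the schema, the account rows and the amounts are constructed for the demo.

```python
"""Reconciliation control for the first cash-out technique above: a balance
that is not backed by posted ledger entries is exactly what a direct edit of
the account table produces. Added example, not from the report; the schema
and the rows are constructed for the demo.
"""
import sqlite3

SCHEMA = """
CREATE TABLE accounts (
    id      INTEGER PRIMARY KEY,
    holder  TEXT NOT NULL,
    balance INTEGER NOT NULL          -- cached balance, in cents
);
CREATE TABLE ledger (
    id         INTEGER PRIMARY KEY,
    account_id INTEGER NOT NULL REFERENCES accounts(id),
    amount     INTEGER NOT NULL,      -- signed, in cents
    posted     TEXT NOT NULL
);
"""


def seed_demo(conn: sqlite3.Connection) -> None:
    """Two honest accounts, then the two manipulations described above."""
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", [
        (1, "alice", 150000),
        (2, "bob", 20000),
    ])
    conn.executemany("INSERT INTO ledger (account_id, amount, posted) VALUES (?, ?, ?)", [
        (1, 100000, "2015-01-05"),
        (1,  50000, "2015-01-20"),
        (2,  20000, "2015-01-11"),
    ])
    # Attacker inflates bob's balance by editing the row; no ledger entry is posted.
    conn.execute("UPDATE accounts SET balance = balance + 500000 WHERE id = 2")
    # Attacker creates a fake account pre-loaded for a mule to withdraw.
    conn.execute("INSERT INTO accounts VALUES (3, 'mule', 100000000)")
    conn.commit()


def find_unbacked_balances(conn: sqlite3.Connection) -> list:
    """Accounts whose cached balance differs from the sum of their ledger entries."""
    rows = conn.execute("""
        SELECT a.id, a.holder, a.balance,
               COALESCE(SUM(l.amount), 0) AS backed
        FROM accounts a
        LEFT JOIN ledger l ON l.account_id = a.id
        GROUP BY a.id, a.holder, a.balance
        HAVING a.balance != COALESCE(SUM(l.amount), 0)
        ORDER BY a.id
    """).fetchall()
    return [{"id": r[0], "holder": r[1], "balance": r[2], "backed": r[3],
             "delta": r[2] - r[3]} for r in rows]


def demo() -> list:
    """Run the check against an in-memory database seeded with the demo rows."""
    conn = sqlite3.connect(":memory:")
    seed_demo(conn)
    return find_unbacked_balances(conn)


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

The LEFT JOIN matters: an account with no ledger rows at all (the freshly created mule account) must still be reported, which an inner join would silently drop. In production the check belongs on a read replica the application account cannot write to, so that an attacker with the bank's own database credentials cannot edit the ledger to match.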

The report published by Kaspersky Lab revealed that the financial losses could be as high as $1 billion.

Detection and Mitigation

Kaspersky Lab has published a detailed report titled “CARBANAK APT: THE GREAT BANK ROBBERY” that includes all the results of the investigation conducted by its experts. The document also includes a detailed list of indicators of compromise (IoCs) for the Carbanak malware used by the attackers.

One of the best ways to detect Carbanak on an infected machine is to look for .bin files in the folder:

..\All users\%AppData%\Mozilla\

The malware saves files in this location before sending them to its command-and-control servers when an internet connection is available. On Windows Vista and later the “All Users” profile resolves to C:\ProgramData, so that is where to look on current systems; any hit should be hashed and compared with the IoC list in the report.
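A hunt for that staging artefact, as an added example written for this article rather than a tool from Kaspersky's report: it walks a root folder (on a live system, the ProgramData folder, usually C:\ProgramData), reports every .bin file below a directory named Mozilla, and hashes each hit with SHA-256 so it can be matched against the report's IoC list. The directory tree used by demo() is constructed in a temporary folder, and the known_bad set is an assumed input standing in for hashes taken from the report.

```python
"""Hunt for the Carbanak staging artefact described above: .bin files under a
Mozilla directory in the shared profile (the %ProgramData% folder on Windows
Vista and later). Every hit is hashed so it can be compared with the IoC list
in Kaspersky's report.

Added example, not from the report. The directory tree in demo() is
constructed in a temporary folder; the known_bad set is an assumed input.
"""
import hashlib
import os
import tempfile
import time


def sha256_of(path: str, chunk: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so large staging files do not hit memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def hunt_carbanak_bins(root: str, known_bad=frozenset()) -> list:
    """Return .bin files that live below any directory named Mozilla under root."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        rel_parts = [p.lower() for p in os.path.relpath(dirpath, root).split(os.sep)]
        if "mozilla" not in rel_parts:
            continue
        for name in files:
            if not name.lower().endswith(".bin"):
                continue
            full = os.path.join(dirpath, name)
            st = os.stat(full)
            digest = sha256_of(full)
            hits.append({
                "path": full,
                "size": st.st_size,
                "mtime": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(st.st_mtime)),
                "sha256": digest,
                "known_bad": digest in known_bad,
            })
    return hits


def demo() -> list:
    """Build a constructed tree in a temp folder and run the hunt over it."""
    layout = {
        os.path.join("Mozilla", "4f2a.bin"): b"\x00" * 128,              # should be flagged
        os.path.join("Mozilla", "Firefox", "profiles.ini"): b"[General]\n",
        os.path.join("Microsoft", "Windows", "cache.bin"): b"\x01" * 16,  # not under Mozilla
    }
    # Assumed IoC hash: the digest of the constructed file, to show matching.
    known = {hashlib.sha256(b"\x00" * 128).hexdigest()}
    with tempfile.TemporaryDirectory(prefix="carbanak-hunt-") as base:
        for rel, content in layout.items():
            full = os.path.join(base, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(content)
        return hunt_carbanak_bins(base, known_bad=known)


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

Run it with the ProgramData folder as root on each workstation, collect the output centrally, and treat any .bin under Mozilla as suspicious even when its hash is not in the list: the report's IoCs cover the samples Kaspersky saw, and new builds will not match.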

How to avoid the infection?

As usual, a proper security posture is essential to avoid becoming a victim of this kind of attack. Companies need to adopt multi-layered defenses and keep operating systems and applications updated, but most important of all is to train internal staff on cyber threats and how to avoid them.

Below are some general recommendations provided by Kaspersky:

Do not open suspicious emails, especially if they have an attachment;

Update your software (in this campaign no 0days were used);

Turn on heuristics in your security suites, this way it is more likely that such new samples will be detected and stopped from the beginning.

Editor-in-Chief at “Cyber Defense Magazine”, Pierluigi is a cyber security expert with over 20 years of experience in the field; he is a Certified Ethical Hacker (EC-Council, London). The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog “Security Affairs”, recently named a Top National Security Resource for the US.

Pierluigi is a member of “The Hacker News” team and writes for major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines.

A few days ago I wrote about serious security issues in the Microsoft mobile Outlook app: the researcher René Winkelmeyer, Head of Development at midpoints GmbH and an IBM Champion, published a blog post warning about security issues in the newborn iOS Outlook app. According to the expert, the iOS Outlook app recently presented by Microsoft gives the company's cloud service access to corporate emails and mail server credentials without the user's knowledge.

For this reason, the EU Parliament has blocked politicians from using the Microsoft mobile Outlook app in the wake of security and privacy concerns. The EU Parliament fears that members’ credentials could be exposed to a third party.

DG ITEC, the Parliament's IT department, has asked members of the EU Parliament to avoid using the application.

“Please do not install this application, and in case you have already done so for your EP corporate mail, please uninstall it immediately and change your password,” requested DG ITEC.

DG ITEC also asked staff to remove the app if it was installed and to reset their corporate email password if it had been used with the app.

Microsoft rejected the claims. According to Acompli, the firm that developed the mobile Outlook app before its acquisition by Microsoft, the credentials used by the service were “double-encrypted using a server per-account unique key” and a client device unique key, meaning the credentials could be unlocked only by the server and the app at runtime.

A Microsoft spokesman explained that customers who have concerns can follow the guidance on Controlling Device Access on Microsoft TechNet to block the app and continue using Outlook Web Access (OWA) for iOS and Android devices.

Let's close the post by highlighting a significant excerpt from the privacy policy of the service behind the app.

“… our service retrieves your incoming and outgoing email messages and securely pushes them to the app on your device [and] may be temporarily stored and indexed securely both in our servers and locally on the app on your device. If your emails have attachments and you request to open them in our app, the service retrieves them from the mail server, securely stores them temporarily on our servers, and delivers them to the app.”

Obama signed a new Executive Order on sharing cyber threat information
http://www.cyberdefensemagazine.com/obama-signed-a-new-executive-order-on-sharing-cyber-threat-information/
Mon, 16 Feb 2015 15:03:25 +0000

The US President Obama has recently announced a new Executive Order Promoting Private Sector Cybersecurity Information Sharing.

Information sharing is a key element in the fight against the principal cyber threats: only by knowing the tactics, techniques and procedures (TTPs) of threat actors is it possible to mitigate their malicious actions.

“Rapid information sharing is an essential element of effective cybersecurity, because it enables U.S. companies to work together to respond to threats, rather than operating alone. This Executive Order lays out a framework for expanded information sharing designed to help companies work together, and work with the federal government, to quickly identify and protect against cyber threats.” states the Executive Order.

President Obama had already urged cyber threat intelligence sharing with a previous executive order issued in February 2013 (EO 13636, Improving Critical Infrastructure Cybersecurity), which highlighted the need to improve the information sharing process as part of a strategy to improve critical infrastructure cybersecurity.

This new Executive Order provides further details on information sharing, especially for the information exchange with the private industry.

“I am signing a new executive order to promote even more information sharing about cyber threats both within the private sector and between government and the private sector,” Obama explained at the White House Summit on Cybersecurity and Consumer Protection at Stanford on Friday.

The Executive Order comes a few days after the US Government announced the creation of a new unit, the Cyber Threat Intelligence Integration Center, which will coordinate the other government units working to provide a more effective defence against cybercrime. The new center is intended to fill the gaps that currently exist between agencies, which lead to delays and misunderstandings.

The Executive Order also states the intent to protect privacy and civil liberties by defining a common set of standards and protocols.

“So government can share with [private-industry] hubs more easily. It will make it easier for them to get classified cybersecurity threat information they need to protect their companies,” declared the President Obama.

The new Executive Order encourages more private companies to set up hubs dedicated to sharing threat information with peers and government agencies. It was prepared with the following goals:

Encouraging Private-Sector Cybersecurity Collaboration

Enabling Better Private-Public Information Sharing

Providing Strong Privacy and Civil Liberties Protections

Paving the Way for Future Legislation

The US Government is also planning to create a new agency dedicated to cyber security in response to the growing number of cyber attacks on American firms such as Sony and JP Morgan.